[strongSwan] ikev2 smartcard support

Martin Willi martin at strongswan.org
Thu Dec 2 11:15:33 CET 2010

Hi Peter,

> I'm trying to get smartcard support to work with the NetworkManager

> something seems to be misconfigured.

> found key on PKCS#11 token 'openSC':1
> using smartcard certificate 'winterer at informatik.test.de'
> initiating IKE_SA Mobile Pools Crypto Stick[1] to

The NetworkManager plugin currently has no option to specify the client
identity, it just picks one from the first certificate usable (see [1]
for details).
As I usually prefer subjectAltNames over complicated Distinguished
Names, it picks the first E-Mail subjectAltName as identity. 
We could add an option to select a specific subjectAltName (or the DN),
but this requires some amount of work.

> looking for peer configs matching
> [C=DE, O=MoPo WLAN Test, CN=vpn-mopo.vpn.test.de]...
> [winterer at informatik.test.de]
> no matching peer config found

> conn rw2-intern
>     rightid="C=DE, O=MoPo WLAN Test, CN=*"

This config won't match, it uses the full DN.

> conn mopo-sc-intern
>     rightid=@informatik.test.de

Have you tried "*@informatik.test.de"?
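
Added example, not part of the original post and not strongSwan code: a simplified model of why the three `rightid` values in this thread behave differently against an e-mail identity. The typing rules (a `=` means DN, a leading `@` means host name, an embedded `@` means e-mail address), the wildcard handling and the sample identity `user@informatik.test.de` are assumptions made for illustration.

```python
# Simplified model of identity typing and wildcard matching.
# Assumption for illustration only; this is not strongSwan's implementation.

def parse_id(text):
    """Return (type, value) for an identity string under the assumed rules."""
    if "=" in text:                       # e.g. "C=DE, O=..., CN=*"
        rdns = [tuple(p.strip().split("=", 1)) for p in text.split(",")]
        return ("DN", rdns)
    if text.startswith("@"):              # leading '@' marks a host name
        return ("FQDN", text[1:].lower())
    if "@" in text:                       # '@' inside the string: e-mail address
        return ("RFC822", text.lower())
    return ("FQDN", text.lower())


def matches(configured, presented):
    """True if the configured rightid accepts the identity the peer presents."""
    ctype, cval = parse_id(configured)
    ptype, pval = parse_id(presented)
    if ctype != ptype:                    # a DN never matches an e-mail identity
        return False
    if ctype == "DN":                     # compare RDN by RDN, '*' matches any value
        return len(cval) == len(pval) and all(
            ck == pk and (cv == "*" or cv == pv)
            for (ck, cv), (pk, pv) in zip(cval, pval))
    if cval.startswith("*"):              # leading '*' matches any prefix
        return pval.endswith(cval[1:])
    return cval == pval


# Constructed sample: the e-mail subjectAltName the client sends as its identity.
CLIENT_ID = "user@informatik.test.de"

# The rightid values discussed in the thread.
CANDIDATES = [
    'C=DE, O=MoPo WLAN Test, CN=*',
    '@informatik.test.de',
    '*@informatik.test.de',
]

if __name__ == "__main__":
    for rightid in CANDIDATES:
        verdict = "match" if matches(rightid, CLIENT_ID) else "no match"
        print(f"{rightid!r:40} {parse_id(rightid)[0]:7} {verdict}")
```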

